Re: [Spud] Extensibility considered harmful? was Re: [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
Kyle Rose <krose@krose.org> Wed, 10 August 2016 12:41 UTC
Return-Path: <krose@krose.org>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD3612B076 for <spud@ietfa.amsl.com>; Wed, 10 Aug 2016 05:41:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pk3r3YPA7jvL for <spud@ietfa.amsl.com>; Wed, 10 Aug 2016 05:41:36 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE3212D0FF for <spud@ietf.org>; Wed, 10 Aug 2016 05:41:35 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id 52so19915788qtq.3 for <spud@ietf.org>; Wed, 10 Aug 2016 05:41:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xT9h+OQhi5q6C/D2iChWaQKZ2/+xezJex5oVTN+tlz8=; b=pHV6sk4CeNI1cC+Yfh+wB29LZIhWkKZ5etgBEhEHMeJ5SXZYu8qbGnH0J88R1MMZrG ZjFdgdKV7hTfitBrl0jINjp/kgBL5BDE3Xg+oTOXLzowYkM/JEBfihwHH2X9HBOYCOxv szQ80pdbcnVsgEWpytXRmLpMUeWxGD4rc2fn4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xT9h+OQhi5q6C/D2iChWaQKZ2/+xezJex5oVTN+tlz8=; b=OsUWirUubFT2ooNUGHacIKZh9+Ey30au1jWmL5G7DLrRIgZ7kU5BqR3ZIDw4JOWIio Cdmb3slAqMsDpdsBEE11U+ZOC8M8h2fb01NWdXEqx5OcpyRKgfZ/vwlwluxPyTGOhoyL TcbI9TkmVRLojtAgC8FdmFDXgLDO3Gx6/DrGJUY/7KiEi02j9YXrpaZDfX4Zu0Cfw06O hMXLwx+aoK5xFoLBCAVyBqVxZKn7YmpgK88D3NJejv20VHOYoUSJ+aC0kVEFxZIsiMLr keVNKBaQ7Z2LSG7d6hxp3i4HKZLpgmL+QfM5Rt3SOFGNTaQsnIaTbKZFDs3m/uaD92bt vFSQ==
X-Gm-Message-State: AEkoouvpOd5rlolw3O2Aaz5ytC3ZNkpqu7t/xALHv5MjJDjL/O/guoNo6MvcXJrPfbtEWQY0o31mz+puLyA0mg==
X-Received: by 10.237.45.135 with SMTP id i7mr4071432qtd.30.1470832894980; Wed, 10 Aug 2016 05:41:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.94.70 with HTTP; Wed, 10 Aug 2016 05:41:33 -0700 (PDT)
X-Originating-IP: [2001:470:1f07:121:a85a:f18f:f2c0:e72d]
In-Reply-To: <fd9d6567-6dbc-3044-7fb2-acaa560de401@cs.tcd.ie>
References: <409B6F52-B637-4333-915B-A8127C80C98B@trammell.ch> <402A30BB-1A20-4D54-95CA-7C50D8C0F26B@tik.ee.ethz.ch> <dc29fa73-88fd-3dc4-7497-f1bd2fa60422@cs.tcd.ie> <8722FE8E-1026-43D5-BE17-1D6B4031C0D8@tik.ee.ethz.ch> <1b261e1e-a543-53df-8a2a-7dddae415a14@cs.tcd.ie> <D2CEDF13-E508-4732-B8F6-98FBBDDC7EE6@tik.ee.ethz.ch> <f5c06c8a-5bef-86f6-5c62-302e7f6f75bf@cs.tcd.ie> <B58C7986-4B91-41FB-A6B6-F8E7BD25E799@tik.ee.ethz.ch> <6a61c305-c1f6-d14d-d0c4-d9809cfb5f78@cs.tcd.ie> <F7541B2E-86C2-49C6-B616-BDCC567CDAFC@lurchi.franken.de> <92b31df8-f557-a935-a3d8-1f7bf7ee8689@cs.tcd.ie> <E9B17055-DB61-41C6-9D9F-7510E9EC1ADE@lurchi.franken.de> <45d1e4f8-43fd-181f-b902-73f129e8518b@cs.tcd.ie> <B018BDCD-64EF-4F86-9B0B-FA73EA63A5C9@trammell.ch> <b4a87191-0bb9-7c3a-9717-68ae6ef33406@cs.tcd.ie> <CA+9kkMB+j=My1i2Ygyz1VaO+ZjgtPr-SjoEKhcdve8gw-vq0Jw@mail.gmail.com> <5113d019-2405-fba0-0868-04a05ccce3f1@cs.tcd.ie> <CAJU8_nWgdFNAKwegm9yXKcFB3BTkGeEQBPm3H4bY8JrWtTyXrQ@mail.gmail.com> <fd9d6567-6dbc-3044-7fb2-acaa560de401@cs.tcd.ie>
From: Kyle Rose <krose@krose.org>
Date: Wed, 10 Aug 2016 08:41:33 -0400
Message-ID: <CAJU8_nWVi3g7PG00imGb4oG2JJ33UkJZds3CLDUDr0jucChokQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="94eb2c069e183acbbb0539b6f802"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/86GsyP-DWSqwDcz5GInsgAlqgG8>
Cc: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>, Brian Trammell <ietf@trammell.ch>, Ted Hardie <ted.ietf@gmail.com>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, spud <spud@ietf.org>
Subject: Re: [Spud] Extensibility considered harmful? was Re: [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2016 12:41:40 -0000
On Sat, Aug 6, 2016 at 8:38 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hi Kyle, > > Again, sorry for the slow response. But we're likely evens on that:-) > And again for me. :-) > > Perhaps ironically, this argument has basically re-convinced me that > > privacy at the routing layers on the public internet is hopeless. > > FWIW, I never agree that privacy is hopeless. > I'll agree that "hopeless" is a bit hyperbolic, but the degree of hopelessness depends on what the threat model is. For coercion of single bits, I'm willing to stand by that phrasing. > And even if it, in some sense, were, I firmly believe that we can > choose to make the Internet worse wrt privacy or to not do that. > > So even if we cannot "solve" the "privacy problem," there is still > an onus on us (as good engineers) to not make that worse and to define > tooling that would allow folks to make things better should they later > choose to deploy those tools. (That last has to be done quite > selectively though, only after some tool looks like it might get at > least some real traction, as otherwise we enter the realm of speculative > research and not engineering.) > A necessary element to the approach you outline is having a coherent vision for what we want a privacy-first internet to look like, and how we would get there. I don't think an incremental approach based on RFC 6973 and derivatives is going to achieve that because so far what I see is a blanket prohibition on extensibility out of fear that some mechanism could be used for nefarious purposes, when what protocol designers need is guidance on what they *can* do. The threat model in 7624 may be a good starting point for this, but the prohibitions implied there need to be inverted into a set of design guidelines that the IAB considers acceptable. I don't think the black box approach to standards approval is the right one, but it feels like that's where we are without explicit guidance. Furthermore, during the transition phase between the internet of 2016 and the internet of 2036, we can't hamstring all standards development because not all the building blocks for the privacy-first internet are in place. Users have needs, and if they aren't fulfilled by the IESG, users will migrate to getting their standards elsewhere, and everyone will be worse off from the resulting fragmentation. Our sweet spot is not standing athwart all development, yelling "stop!": it's balancing individual user needs and wider privacy concerns and standardizing something that will work well enough that people use it, that don't materially worsen the existing privacy problems, and that we can show will improve such things over time. (Emphasis on "show".) We don't have dictatorial control over the internet, but a lot of these discussions seem to implicitly frame the problem that way. If we don't give users what they want, we risk becoming irrelevant. Concern about one bit seems not to fit with a balanced approach; worrying about a generic key/value mechanism not under endpoint control probably does. Where do we draw the line, and why? > Also - I'm not sure what you mean by "routing layers" nor how that > maps to the transport issues SPUD/PLUS is trying to address. > Sorry, by "routing layers" I mean essentially the metadata that must be made known to third-party network elements in order to direct packets to a logical destination: DNS requests and the destination address in a packet are the most obvious of these, but it also includes things like SNI for certain layer 3 routers and load balancers. I think we would both (all?) agree that today there is too much public metadata, and that metadata is not narrowly directed at only those network devices that actually need it. I would argue we need to start scoping out possible reductions in this envelope, both in a v6 internet and in an ideal world with the protocols we really want. We can then express balanced guidance on privacy protections for the internet we have, allowing standards development to continue for users' real-world needs, while also moving forward in the research/experimental direction toward the internet we want. Constraining standards development in the internet we have based on what's possible in the internet we want, but haven't scoped or defined, and that we might get at some undetermined point in the future, is not acting in the interests of users. > In that and many cases though the other endpoint would not (in general) > know of the silly addressing scheme. If we standardise such, then all > endpoints know of the silliness and the situation is worse. > Understood, but the even/odd address thing is something any ISP or government can unilaterally implement and enforce for all of its own users: it requires no further standards work. At least with IPv6, I'd argue the only unilateral mitigation for this kind of concern is to shut off the network. So including this in the threat model as anything other than "accepted risk" effectively shuts down all discussion of protocol extensibility. > I'm also not sure that coercion is the right term for this part of the > problem. At least as I envisage things, if a middlebox can ever add a > standardised extensible value to the flow, then we are likely to run > into these issues. I read your initial objection as 'the ISP can make the user add this information, or a blank space for fill-in by path elements, to its PLUS header before signing'. Coercing users into adding either the information itself or a blank space for the information (such that modifications to that value are allowed by recipient stacks, even in the presence of a MAC for the keys and all the other values) seems like the general threat here. For each specific threat, the two relevant follow-up questions seem to be: (1) How does this extension make privacy more difficult to achieve than it is today? (2) How does this extension make privacy more difficult to achieve than it would otherwise be under this new internet we'll have deployed X years from now, and is the objection relevant if the protocol stack will look entirely different? I am using a comparative ("more difficult") rather than an absolute (e.g., "unachievable") because there are other, heavier-weight approaches like TOR that can give us a lot of what we want on top of the public internet of today. It's very unclear to me that SPUD/PLUS can work and > not allow such addition whilst also not introducing new round-trips. > But we'll need to wait and see what the PLUS proponents actually > propose before we can really analyse that. > I think the burden is on both sides of the argument: the PLUS proponents need to demonstrate a need and a protocol that narrowly achieves that need, and privacy advocates need to come to some public agreement on what degree of extensibility is okay, and formalize that so protocol designers aren't shooting arrows in the dark or at a moving target. Kyle
- Re: [Spud] Extensibility considered harmful? was … Kyle Rose
- Re: [Spud] Extensibility considered harmful? was … Stephen Farrell
- Re: [Spud] Extensibility considered harmful? was … Stephen Farrell
- [Spud] Detecting and Defeating TCP/IP Hypercookie… Brian Trammell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Mirja Kühlewind
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephan Neuhaus
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] Extensibility considered harmful? was … Kyle Rose
- Re: [Spud] Extensibility considered harmful? was … Brian Trammell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] [Privsec-program] Detecting and Defeat… Christian Huitema
- Re: [Spud] Extensibility considered harmful? was … Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Christian Huitema
- Re: [Spud] [Privsec-program] Detecting and Defeat… Spencer Dawkins at IETF
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Spencer Dawkins at IETF
- Re: [Spud] Extensibility considered harmful? was … Ted Hardie
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] Extensibility considered harmful? was … Stephen Farrell
- [Spud] Extensibility considered harmful? was Re: … Brian Trammell
- Re: [Spud] Detecting and Defeating TCP/IP Hyperco… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Spencer Dawkins at IETF
- Re: [Spud] [Privsec-program] Detecting and Defeat… Michael Tuexen
- [Spud] Extensibility considered harmful? was Re: … Brian Trammell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] Detecting and Defeating TCP/IP Hyperco… Christian Huitema
- Re: [Spud] [Privsec-program] Detecting and Defeat… Michael Tuexen
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Eliot Lear
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Michael Tuexen
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Mirja Kühlewind
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephan Neuhaus
- Re: [Spud] [Privsec-program] Detecting and Defeat… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Mirja Kühlewind
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Mirja Kühlewind
- Re: [Spud] [Privsec-program] Detecting and Defeat… Joe Touch
- Re: [Spud] [Privsec-program] Detecting and Defeat… Ted Hardie
- Re: [Spud] [Privsec-program] Detecting and Defeat… Ted Hardie
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] Detecting and Defeating TCP/IP Hyperco… Stephan Neuhaus
- Re: [Spud] Detecting and Defeating TCP/IP Hyperco… Tom Herbert
- Re: [Spud] Detecting and Defeating TCP/IP Hyperco… Brian Trammell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Brian Trammell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Mirja Kühlewind
- Re: [Spud] Detecting and Defeating TCP/IP Hyperco… Tom Herbert
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell
- Re: [Spud] [Privsec-program] Detecting and Defeat… Stephen Farrell